[Samba] Gpo issue
Sam
sr42354 at gmail.com
Thu Feb 18 13:39:57 UTC 2016
Hello,
This error is corrected:
unable to find object for DN
CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP
Security,*CN=System,CN=System*,DC=ariane,DC=intra - (No such Base DN:
CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP
Security,CN=System,CN=System,DC=ariane,DC=intra)
By deleting one *CN=System* in the path in this AD entry with ADExplorer.exe.
( It seems to appear when doing a Win 2003 DC demotion ->
https://lists.samba.org/archive/samba/2013-July/174585.html )
Now, these commands report 0 errors ( great! )
root at S4:~# samba-tool dbcheck --cross-ncs --reset-well-known-acls
Checking 7758 objects
Checked 7758 objects (0 errors)
root at S4:~# samba-tool dbcheck --cross-ncs
Checking 7758 objects
Checked 7758 objects (0 errors)
If I create a new GPO, the "samba-tool ntacl sysvolcheck" command returns
this error:
root at S4:~# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/ariane.intra/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Scripts/Logoff
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
does not match expected value
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001f01ff;;;DA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;ED)
from GPO object
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
249, in run
lp)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1730, in checksysvolacl
direct_db_access)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1681, in check_gpos_acl
domainsid, direct_db_access)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1647, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not
match expected value %s from GPO object' % (acl_type(direct_db_access),
os.path.join(root, name), fsacl_sddl, acl))
But it can be fixed by the "samba-tool ntacl sysvolreset" command
...But my gpo doesn't work again... :/
( even with a "samba-ad restart" or a "gpupdate /force" on client pc )
Does someone have a Samba4 DC that comes from a windows 2003 with
working gpo?
Thanks for helping.
See you.
Sam
On 17/02/2016 13:52, Sam wrote:
> also, I'm using a Windows 10 client PC with RSAT tools...
>
> On 17/02/2016 13:42, Sam wrote:
>> Hi everybody!
>>
>> I have two samba AD servers ( 4.2.7-SerNet-Debian-8.wheezy ). I try
>> to make gpo work but I'm facing some problems...
>>
>> My Samba4 comes from an old windows AD so I have launched these commands:
>>
>> samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
>> samba-tool ntacl sysvolreset ( that take about 10 minutes to complete )
>> samba-tool dbcheck --cross-ncs --fix
>>
>> But the following errors still stay on both servers...
>>
>> root at S4bis:~# samba-tool dbcheck --cross-ncs --reset-well-known-acls
>> Checking 7747 objects
>> ERROR: missing GUID component for ipsecOwnersReference in object
>> CN=ipsecISAKMPPolicy{7238523D-70FA-11D1-864C-14A300000000},CN=IP
>> Security,CN=System,DC=ariane,DC=intra -
>> CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP
>> Security,CN=System,CN=System,DC=ariane,DC=intra
>> unable to find object for DN
>> CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP
>> Security,CN=System,CN=System,DC=ariane,DC=intra - (No such Base DN:
>> CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP
>> Security,CN=System,CN=System,DC=ariane,DC=intra)
>> Not removing dangling forward link
>> Please use --fix to fix these errors
>> Checked 7747 objects (1 errors)
>>
>> root at S4bis:~# samba-tool dbcheck --cross-ncs
>> Checking 7747 objects
>> ERROR: missing GUID component for ipsecOwnersReference in object
>> CN=ipsecISAKMPPolicy{7238523D-70FA-11D1-864C-14A300000000},CN=IP
>> Security,CN=System,DC=ariane,DC=intra -
>> CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP
>> Security,CN=System,CN=System,DC=ariane,DC=intra
>> unable to find object for DN
>> CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP
>> Security,CN=System,CN=System,DC=ariane,DC=intra - (No such Base DN:
>> CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP
>> Security,CN=System,CN=System,DC=ariane,DC=intra)
>> Not removing dangling forward link
>> Please use --fix to fix these errors
>> Checked 7747 objects (1 errors)
>>
>> At the beginning a "samba-tool ntacl sysvolreset" command did
>> work, but not for a long time; the only thing I did after was playing
>> with the RSAT policy tool... then I thought that was an rsync issue,
>> but now my sysvol replication works well...
>> Maybe a stupid question but is there a way to recreate sysvol folders
>> and files?
>>
>> Thanks for your help!
>>
>> Sam
>>
>
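
Added example (not part of the original message and not Samba's own code): the sysvolcheck error above prints two SDDL strings, and this Python script splits them into owner, group, DACL flags and ACEs to show exactly where the on-disk ACL and the ACL expected from the GPO object differ. The function names are hypothetical, and the parser assumes hex access masks and no SACL, as in the strings quoted in the message.

```python
import re

# SDDL strings copied from the sysvolcheck error quoted in the message.
ON_DISK = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
EXPECTED = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICI;0x001f01ff;;;DA)(A;OICIIO;0x001f01ff;;;CO)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;ED)")

# Standard SDDL SID aliases that occur in the two strings.
ALIASES = {"LA": "Administrator account", "BA": "Builtin Administrators",
           "SO": "Server Operators", "SY": "Local System", "CO": "Creator Owner",
           "AU": "Authenticated Users", "DA": "Domain Admins",
           "EA": "Enterprise Admins", "ED": "Enterprise Domain Controllers"}

SID = r"(?:S-[\d-]+|[A-Z]{2})"
HEADER = re.compile(rf"O:({SID})G:({SID})D:([A-Z]*)((?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Split an owner/group/DACL SDDL string (hex rights, no SACL)."""
    m = HEADER.match(sddl)
    if m is None:
        raise ValueError("unsupported SDDL: %r" % sddl)
    owner, group, flags, ace_text = m.groups()
    aces = []
    for body in re.findall(r"\(([^)]*)\)", ace_text):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: %r" % body)
        ace_type, ace_flags, rights, _obj, _inherit_obj, trustee = fields
        aces.append((ace_type, ace_flags, int(rights, 16), trustee))
    return {"owner": owner, "group": group, "dacl_flags": flags, "aces": aces}

def diff_sddl(on_disk, expected):
    """Return header fields and ACEs that differ between two SDDL strings."""
    a, b = parse_sddl(on_disk), parse_sddl(expected)
    header = {k: (a[k], b[k]) for k in ("owner", "group", "dacl_flags")
              if a[k] != b[k]}
    sa, sb = set(a["aces"]), set(b["aces"])  # sets fold the repeated DA/ED ACEs
    return {"header": header, "only_on_disk": sorted(sa - sb),
            "only_expected": sorted(sb - sa), "common": sorted(sa & sb)}

if __name__ == "__main__":
    result = diff_sddl(ON_DISK, EXPECTED)
    print("header differences:", result["header"])
    for side in ("only_on_disk", "only_expected"):
        for _type, flags, rights, trustee in result[side]:
            print(side, flags, hex(rights), ALIASES.get(trustee, trustee))
```

For these two strings only the SY and AU entries are common to both; the owner, group, DACL flags and every other trustee differ.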